
Database password written to process list #2014

Closed
plockaby opened this issue Jul 12, 2020 · 6 comments

Comments

@plockaby

plockaby commented Jul 12, 2020

Environmental Info:
K3s Version: k3s version v1.18.4+k3s1 (97b7a0e)
Node(s) CPU architecture, OS, and Version: Linux pluto 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux

Cluster Configuration: one master, five workers
Describe the bug:
If you initialize a k3s cluster with database connection details in it those details are written directly to ps. For example:

$ curl -sfL https://get.k3s.io | sh -s - --datastore-endpoint=postgres://k3s:supersecret@localhost:5432/k3s
$ ps -ef | grep k3s
root       3799      1  8 Jul10 ?        04:32:08 /usr/local/bin/k3s server --datastore-endpoint=postgres://k3s:supersecret@localhost:5432/k3s

Steps To Reproduce:

  • Installed K3s: see the description above

Expected behavior:
I would expect, at a minimum, that the password would be replaced with asterisks in the ps output. It might also be great to be able to put the password into a configuration file rather than store it in the systemd configuration file.

Actual behavior:
The password is free for anyone who has any access to the system to see.

Additional context / logs:
I suppose that one such solution to this would be to put the postgres database password into a .pgpass file owned by root but that wouldn't work for mysql, I don't think.

@brandond
Contributor

This is probably best addressed by either

  • using environment variables instead of command-line args
  • waiting for #1899 (Add config file support) and putting the datastore URI in the config file

@plockaby
Author

Those are both good ideas and reasonable solutions but I don't think that they go far enough. As long as you accept a database URI on the command line, the application should venture to obscure the password from visibility. IMO this is actually a security issue but I did not see anywhere to submit security bugs.

@cjellick
Contributor

FYI, You can submit security issues to [email protected], but no need to change or resubmit this issue since it is already in the open.

@brandond brandond self-assigned this Jul 14, 2020
@davidnuzik davidnuzik added this to the v1.19 - Backlog milestone Jul 20, 2020
brandond added a commit to brandond/k3s that referenced this issue Jul 27, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>

brandond added a commit to brandond/k3s that referenced this issue Jul 27, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>

brandond added a commit to brandond/k3s that referenced this issue Jul 27, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>

brandond added a commit to brandond/k3s that referenced this issue Jul 28, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>

brandond added a commit to brandond/k3s that referenced this issue Jul 28, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>

brandond added a commit to brandond/k3s that referenced this issue Jul 28, 2020
This is related to k3s-io#2014.
Signed-off-by: Brad Davidson <[email protected]>
@brandond
Contributor

@plockaby does this work for you?

@plockaby
Author

This is perfect. Thanks for looking into it so quickly!

@davidnuzik davidnuzik added [zube]: To Test kind/task Work not related to bug fixes or new functionality and removed [zube]: Peer Review labels Jul 29, 2020
@zube zube bot removed the kind/task Work not related to bug fixes or new functionality label Jul 29, 2020
@rancher-max
Contributor

Validated using the current latest commit

This now just shows the server or agent command, without additional args:

$ curl -sfL https://get.k3s.io | INSTALL_K3S_COMMIT="6fcec6aea9fcb8d79c7020cdea217ac40ccac72c" sh -s - server --datastore-endpoint="mysql://user:pass@tcp(somedb:3306)/k3s"
$ ps -ef | grep k3s
root        4064       1 56 19:01 ?        00:00:09 /usr/local/bin/k3s server
ubuntu      4327    2047  0 19:01 pts/0    00:00:00 grep --color=auto k3s
root        4328    4096  0 19:01 ?        00:00:00 /var/lib/rancher/k3s/data/d8a1e0e2fcdb1dc0a99617cda153dee4de24891e3ba102a9c272ef52e5695db4/bin/unpigz -d -c
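The redaction the reporter asks for above (the password in the URI replaced by placeholder characters) and the `ps` check rancher-max performs above can both be demonstrated with the Go program below. It is an added example, not k3s code and not the fix brandond committed; the PIDs, paths and connection strings in it and in its test data are constructed. It parses with `net/url` where possible and falls back to a regular expression for the go-sql-driver DSN form (`mysql://user:pass@tcp(host:3306)/db`), which `net/url` rejects because of the parenthesised host, and it reads `/proc/<pid>/cmdline`, the same source `ps` uses, so it finds leaked credentials in any process, not only k3s.

```go
// Added example, not k3s project code: (1) redact the password in a
// datastore URI so logs and status output show it as "xxxxx", and
// (2) audit /proc/<pid>/cmdline for credentials that leaked into argv,
// which is exactly what `ps -ef` reads. PIDs, paths and DSNs used in
// the accompanying test data are constructed for illustration.
package main

import (
	"bytes"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
)

// credRe finds "scheme://user:password@" anywhere in an argument, so it
// also catches the "--flag=scheme://..." form and go-sql-driver DSNs such as
// mysql://user:pass@tcp(host:3306)/db, whose parenthesised host net/url
// rejects as an invalid port.
var credRe = regexp.MustCompile(`([A-Za-z][A-Za-z0-9+.-]*://[^:/@\s]+):([^@\s]*)@`)

// RedactDSN returns dsn with any password replaced by "xxxxx". It prefers
// net/url's Redacted (which preserves the URL's own escaping) and falls back
// to credRe for inputs net/url cannot parse.
func RedactDSN(dsn string) string {
	if u, err := url.Parse(dsn); err == nil && u.User != nil {
		if _, hasPassword := u.User.Password(); hasPassword {
			return u.Redacted()
		}
		return dsn // user without password: nothing to hide
	}
	return credRe.ReplaceAllString(dsn, "${1}:xxxxx@")
}

// Finding is one argv entry that embedded a password. Redacted never
// contains the secret, so findings are safe to log.
type Finding struct {
	PID      string
	Redacted string
}

// ScanCmdlines reads <procRoot>/<pid>/cmdline for every numeric directory
// (argv is NUL-separated) and reports the arguments that carry a password.
// Use "/proc" on a live host; the test passes a constructed directory tree.
func ScanCmdlines(procRoot string) ([]Finding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		if _, err := strconv.Atoi(e.Name()); err != nil || !e.IsDir() {
			continue // /proc/self, /proc/sys, ... are not processes
		}
		raw, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "cmdline"))
		if err != nil {
			continue // process exited between ReadDir and ReadFile
		}
		for _, arg := range bytes.Split(raw, []byte{0}) {
			if s := string(arg); credRe.MatchString(s) {
				findings = append(findings, Finding{PID: e.Name(), Redacted: RedactDSN(s)})
			}
		}
	}
	return findings, nil
}

func main() {
	root := "/proc"
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. a /proc tree copied from a forensic image
	}
	findings, err := ScanCmdlines(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("pid %s: credential in argv: %s\n", f.PID, f.Redacted)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero so the check fails in CI or a hardening job
	}
}
```

Run it with `go run main.go` to scan the live `/proc`, or pass a directory copied from an image. Two caveats apply. `/proc/<pid>/cmdline` is readable by every local user unless procfs is mounted with `hidepid=2`, whereas `/proc/<pid>/environ` is readable only by the process owner and root, which is why moving the URI into an environment variable or a root-only config file is a real improvement and not just cosmetic. And the matcher only recognises the `scheme://user:password@` shape, so a secret passed through a separate `--password value` style flag would need its own pattern.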
